Security News > 2022 > March > Veeam fixes critical RCEs in backup solution (CVE-2022-26500, CVE-2022-26501)
Veeam Software has patched two critical vulnerabilities affecting its popular Veeam Backup & Replication solution, which could be exploited by unauthenticated attackers to remotely execute malicious code.
Veeam Backup & Replication is an enteprise data protection solution that allows admins to create image-level backups of virtual, physical, cloud machines and restore from them.
According to the company's latest shared information, more than 450,000 users have downloaded Veeam Backup & Replication v11 since its launch in Q1 2021.
Veeam simply noted that "The Veeam Distribution Service allows unauthenticated users to access internal API functions. A remote attacker may send input to the internal API which may lead to uploading and executing of malicious code."
Veeam Backup & Replication v9.5, 10 and 11 are affected, and patches have been provided for the latter two.
"The vulnerable process Veeam.Backup.PSManager.exe allows authentication using non-administrative domain credentials. A remote attacker may use the vulnerable component to execute arbitrary code," the company shared, but added that the default Veeam Backup & Replication installation is not vulnerable to this issue.
News URL
https://www.helpnetsecurity.com/2022/03/15/cve-2022-26500-cve-2022-26501/
Related news
- Fortinet warns of critical RCE bug in endpoint management software (source)
- Fortra Patches Critical RCE Vulnerability in FileCatalyst Transfer Tool (source)
- Ivanti Releases Urgent Fix for Critical Sentry RCE Vulnerability (source)
- Critical RCE bug in 92,000 D-Link NAS devices now exploited in attacks (source)
- HPE Aruba Networking fixes four critical RCE flaws in ArubaOS (source)
- Four Critical Vulnerabilities Expose HPE Aruba Devices to RCE Attacks (source)